Git clients that support delay-capable clean / smudge filters and symbolic links on case-insensitive file systems are vulnerable to remote code execution while cloning a repository. Usage of clean / smudge filters through Git LFS and a case-insensitive file system changes the checkout order of repository files which enables the placement of a Git hook in the .git/hooks directory. By default, this Metasploit module writes a post-checkout script so that the payload will automatically be executed upon checkout of the repository.
e98b3afb62859d7020a7dd7d9fa1db727066effb6fcaf6be5eb8fbff19874b9d
Gentoo Linux Security Advisory 202104-1 - A vulnerability has been found in Git that could allow a remote attacker to execute arbitrary code. Versions less than 2.26.3 are affected.
501280a83ea3d468493a03bc6b8c2fd8cb7796e4399b355699ce16447e85a20b
Apple Security Advisory 2021-04-26-10 - Xcode 12.5 addresses an arbitrary code execution vulnerability.
39bca81a5aa62d2d72980d7d122769fc684d6c93ebeed0118673d5f8efea0142
Ubuntu Security Notice 4761-1 - Matheus Tavares discovered that Git incorrectly handled delay-capable clean/smudge filters when being used on case-insensitive filesystems. A remote attacker could possibly use this issue to execute arbitrary code.
2862a5d57fdf9124f9b200582cb31794ad9fc9721ccbe477d6d00f636c34fc81